FRISK Software International


Summary of VBS/Tam
Alias: Out, I-Worm.Kakworm.d
Discovered: 17 Oct 2000

Brief Description
VBS/Tam is a worm similar to JS/Kak. It uses the same security vulnerability to infect the system.

Microsoft has released a patch that fixes this vulnerability. It is available at http://www.microsoft.com/security/Bulletins/ms99-032.asp


Technical Description
VARIANT: Tam.A

If an infected message is viewed, the worm creates a file, "tam.hta", in the startup directory of the French version of Windows 9x ("C:\Windows\Menu démarrer\programmes\démarrage"). This file is executed when the system is restarted.

When "tam.hta" is executed, it deletes the file "c:\windows\out.html" if it exists. The worm then creates a new file with the same name, which contains the worm code.

Next, VBS/Tam.A checks whether a file "out.hta" exists in the Windows directory, and if not, it copies "tam.hta" there and hides "tam.hta".

The copied "out.hta" is added to the registry, so it is executed each time the system is restarted.

The worm replaces the signature settings of Outlook Express 5.0 with its own, so every email sent will contain the worm.

On August 30th, it shows the following message four times:

    Bon Anniversaire Lac !!!
          Un ami...
Depending on the time the user spends between the first and the last message box, the worm executes one of two different payloads.

The first one is activated if the time is greater than 10 seconds, in which case the following message box is shown:

    Ok, chante HappyBirthday tout ira bien!!!
Otherwise, VBS/Tam.A shows the following message:

    KOI??? Ca t'interresse pas? Tu n'es pas digne du monde informatique. BYE-BYE
and shuts down Windows.
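
The file artifacts named above can be checked on a mounted copy of an affected C: drive. The following triage script is an added example, not part of the original analysis; the function names, stage labels and the sample tree are assumptions made for illustration, and only the three file paths come from the description.

```python
import os
import tempfile
import unicodedata

# Paths from the description above, relative to the root of drive C:.
ARTIFACTS = {
    "tam.hta": r"Windows\Menu démarrer\programmes\démarrage\tam.hta",
    "out.hta": r"Windows\out.hta",
    "out.html": r"Windows\out.html",
}

def _norm(name):
    # Windows names are case-insensitive; accents may be stored NFC or NFD.
    return unicodedata.normalize("NFC", name).casefold()

def resolve(root, win_path):
    """Walk win_path under root, matching each component case-insensitively."""
    current = root
    for part in win_path.split("\\"):
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        match = next((e for e in entries if _norm(e) == _norm(part)), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def triage(root):
    """Return (found, stage). File names alone are leads, not proof."""
    found = {name: resolve(root, p) for name, p in ARTIFACTS.items()}
    if found["out.hta"] or found["out.html"]:
        stage = "executed"      # tam.hta has run and written into C:\Windows
    elif found["tam.hta"]:
        stage = "dropped"       # message viewed, no restart since
    else:
        stage = "not-present"
    return found, stage

def build_sample(root, rel_paths):
    # Constructed sample tree, for demonstration only (empty files).
    for rel in rel_paths:
        full = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, [r"WINDOWS\Menu Démarrer\Programmes\Démarrage\TAM.HTA"])
        print(triage(d)[1])
```

The "dropped" stage means the startup file exists but nothing has yet been written to the Windows directory, so removing "tam.hta" before the next restart prevents the later steps.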


[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; October 2000]